BreachExchange mailing list archives

We Still Don't Know Who Hacked Sony


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Mon, 5 Jan 2015 20:23:13 -0700

http://www.theatlantic.com/international/archive/2015/01/we-still-dont-know-who-hacked-sony-north-korea/384198/

If anything should disturb you about the Sony hacking incidents and
subsequent denial-of-service attack against North Korea, it’s that we still
don’t know who’s behind any of it. The FBI said in December that North
Korea attacked Sony. I and others have serious doubts. There’s
countervailing evidence to suggest that the culprit may have been a Sony
insider or perhaps Russian nationals.

No one has admitted taking down North Korea’s Internet. It could have been
an act of retaliation by the U.S. government, but it could just as well
have been an ordinary DDoS attack. The follow-on attack against Sony
PlayStation definitely seems to be the work of hackers unaffiliated with a
government.

Not knowing who did what isn’t new. It’s called the “attribution problem,”
and it plagues Internet security. But as governments increasingly get
involved in cyberspace attacks, it has policy implications as well. Last
year, I wrote:

"Ordinarily, you could determine who the attacker was by the weaponry. When
you saw a tank driving down your street, you knew the military was involved
because only the military could afford tanks. Cyberspace is different. In
cyberspace, technology is broadly spreading its capability, and everyone is
using the same weaponry: hackers, criminals, politically motivated
hacktivists, national spies, militaries, even the potential cyberterrorist.
They are all exploiting the same vulnerabilities, using the same sort of
hacking tools, engaging in the same attack tactics, and leaving the same
traces behind. They all eavesdrop or steal data. They all engage in
denial-of-service attacks. They all probe cyberdefences and do their best
to cover their tracks.

"Despite this, knowing the attacker is vitally important. As members of
society, we have several different types of organizations that can defend
us from an attack. We can call the police or the military. We can call on
our national anti-terrorist agency and our corporate lawyers. Or we can
defend ourselves with a variety of commercial products and services.
Depending on the situation, all of these are reasonable choices.

"The legal regime in which any defense operates depends on two things: who
is attacking you and why. Unfortunately, when you are being attacked in
cyberspace, the two things you often do not know are who is attacking you
and why. It is not that everything can be defined as cyberwar; it is that
we are increasingly seeing warlike tactics used in broader cyberconflicts.
This makes defence and national cyberdefence policy difficult."

In 2007, the Israeli Air Force bombed and destroyed the al-Kibar nuclear
facility in Syria. The Syrian government immediately knew who did it,
because airplanes are hard to disguise. In 2010, the U.S. and Israel
jointly damaged Iran’s Natanz nuclear facility. But this time they used a
cyberweapon, Stuxnet, and no one knew who did it until details were leaked
years later. China routinely denies its cyberespionage activities. And a
2009 cyberattack against the United States and South Korea was blamed on
North Korea even though it may have originated from either London or Miami.

When it’s possible to identify the origins of cyberattacks—like forensic
experts were able to do with many of the Chinese attacks against U.S.
networks—it’s as a result of months of detailed analysis and investigation.
That kind of time frame doesn’t help at the moment of attack, when you have
to decide within milliseconds how your network is going to react and within
days how your country is going to react. This, in part, explains the
relative disarray within the Obama administration over what to do about
North Korea. Officials in the U.S. government and international
institutions simply don’t have the legal or even the conceptual framework
to deal with these types of scenarios.

The blurring of lines between individual actors and national governments
has been happening more and more in cyberspace. What has been called the
first cyberwar, Russia vs. Estonia in 2007, was partly the work of a
20-year-old ethnic Russian living in Tallinn, and partly the work of a
pro-Kremlin youth group associated with the Russian government. Many of the
Chinese hackers targeting Western networks seem to be unaffiliated with the
Chinese government. And in 2011, the hacker group Anonymous threatened NATO.

It’s a strange future we live in when we can’t tell the difference between
random hackers and major governments, or when those same random hackers can
credibly threaten international military organizations.

This is why people around the world should care about the Sony hack. In
this future, we’re going to see an even greater blurring of traditional
lines between police, military, and private actions as technology broadly
distributes attack capabilities across a variety of actors. This
attribution difficulty is here to stay, at least for the foreseeable future.

If North Korea is responsible for the cyberattack, how is the situation
different than a North Korean agent breaking into Sony’s office,
photocopying a lot of papers, and making them available to the public? Is
Chinese corporate espionage a problem for governments to solve, or should
we let corporations defend themselves? Should the National Security Agency
defend U.S. corporate networks, or only U.S. military networks? How much
should we allow organizations like the NSA to insist that we trust them
without proof when they claim to have classified evidence that they don’t
want to disclose? How should we react to one government imposing sanctions
on another based on this secret evidence? More importantly, when we don’t
know who is launching an attack or why, who is in charge of the response
and under what legal system should those in charge operate?

We need to figure all of this out. We need national guidelines to determine
when the military should get involved and when it’s a police matter, as
well as what sorts of proportional responses are available in each
instance. We need international agreements defining what counts as cyberwar
and what does not. And, most of all right now, we need to tone down all the
cyberwar rhetoric. Breaking into the offices of a company and photocopying
their paperwork is not an act of war, no matter who did it. Neither is
doing the same thing over the Internet. Let’s save the big words for when
it matters.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 
